Totally Spies! | Joan Calvet (@joancalvet), Marion Marschalek (@pinkflawd), Paul Rascagnères | Hack.lu 2015 | archive.hack.lu/2015/TotallySpies.pdf
Transcript of the slides.
Joan Calvet@joancalvet
Marion Marschalek@pinkflawd
Paul Rascagnères@r00tsbsd
Once upon a time…
(Timeline figure, 2009 to 2014, with 2011 marked: TFC, NBOT, NGBD, NBOT)
NBOT
• Obviously DDoS
• No packer or crypter
• C&Cs sinkholed by Kaspersky
Bunny (image: http://dopemichael.deviantart.com/art/Dead-Bunny-Wallpaper-119327469)
SCRIPTABLE BOT
(Architecture diagram: a main thread (net.cap0) and worker threads net.cap1, net.cap2, net.cap3, each with a "Hearer" (Hearer 0 to Hearer 3); command parsing and script execution; HTTP; crontasks; a DB file; a backfile thread writing Perflib_Perfdat_dmpbX.dat; responses go to the C&C and to the dumpfile; "Performance Monitor through lua script injection")
BABAR
Babar: PET (Persistent Elephant Threat)
• Espionage par excellence
• Keylogging, screenshots, audio captures, clipboard data, what-not.
• Via local instance or through hooking APIs in remote processes, after invading them via global Windows hooks
(Architecture diagram: Regsvr32.exe loads the Babar DLL as the main instance; child instances live in each process of interest (list of process names from config) and talk to the main instance over named pipes; a global Windows hook for WH_KEYBOARD / WH_GETMESSAGE gets the DLL into those processes, where it does API hooking with inline hooks. Modules: data dump module, keylogger, clipboard snooping, other stuffz.)
Modus Operandi Elephanti
1. Create a section object carrying the crucial information: pipe name, number of existing instances, name of the export to be called
2. Copy a function stub into the target process memory
3. Create a remote thread; the stub loads the Babar DLL, calls the indicated export and hands over the data from the shared section object
4. Happily run the DLL
Keylogger (diagram: Regsvr32.exe hosting the Babar DLL main instance, child instances, data dump module)
• Invisible message-only window for message dispatching, receiving WM_INPUT
• Register a raw input device with a RAWINPUTDEVICE struct as follows: RIDEV_INPUTSINK flag set (receive system-wide input), usUsagePage set to 1 (generic desktop controls), usUsage set to 6 (keyboard)
• On WM_INPUT, call GetRawInputData
• Map the virtual key code to a character and log it to file
Hiding in plain sight
(Diagram: main instance, process of interest, named pipes, global Windows hook for WH_KEYBOARD / WH_GETMESSAGE, API hooking with trampoline functions)
Rooootkittykittykitty
Hooked: Internet communication | File creation | Audio streams
(Diagram: before hooking, the Source Function calls the Target Function; after hooking, the Source Function calls the Detour Function, which calls the Trampoline Function, which calls the Target Function)
http://research.microsoft.com/en-us/projects/detours/
“To people who ask me to compare the complexity of #Regin and #Babar, keep in mind that a Peugeot is enough for the day-to-day life ;)” – Paul Rascagnères
Casper is a reconnaissance tool developed in C++
Deployed in April 2014 on Syrian targets through a Flash 0-day (CVE-2014-0515)
Exploit + Casper binaries + C&C server all hosted on the website of the Syrian Justice Ministry:
http://jpic.gov.sy/css/images/_cgi/index.php
Casper Playing Chess Against AVs
(Diagram labels: Payload Installation; Crash when Casper calls the (wrong) retrieved address!)
• Detailed report sent to C&C
• C&C sends back an XML file (embedded into a PNG) indicating the payload to deploy
Dino
• Espionage backdoor with numerous features. For example, complex file search requests: “Give me all files with .doc extension, whose size is greater than X bytes and were modified in the last Y days”
• Developed in C++ in a modular fashion
• Popped up in Iran in 2013
Dino Modules
Name | Purpose
PSM | Encrypted on-disk copy of Dino modules
CORE | Configuration storage
CRONTAB | Task scheduler
ENVVAR | Storage for environment variables
Dino configuration excerpt (key, value, type):
recID | 11173-01-PRS | WIDESTR
Version | 1.2 | WIDESTR
BD_Keys | 4D414…[REDACTED]…B3506 | BYTES
ComServer0 | http://azhar.bf/[REDACTED].php | STR
…
“cronlist” output:
Id Cron String Local Count Command Visibility
C1 44 15 07 04 2015 * -d -1 wakeup regular
Dino Talks Too Much
Strings in the binary:
• “decyphering failed on bd”
• “Can't change the past, sorry...”
• “Date is invalid ! Date Format is ddmmyyyy”
• “PB, hash or size couldn't be verified so file was deleted”
• “No available Com Server yet ? Try again.”
• “Invalid size parameter”
RamFS
• Temporary “file-system” mounted in memory from an encrypted blob stored in the Dino configuration
• Once mounted, RamFS remains stored in encrypted chunks, decrypted on demand
• In Dino, RamFS initially contains one file (“a.ini”), which is executed to remove the malware from the system:
  INSTALL -A "wusvcd" -U
RamFS Commands
Command | Purpose
INSTALL | Triggers installation or uninstallation of the malware
EXTRACT | Extracts a file stored in RamFS to the real file system
EXEC | Executes a file stored in RamFS
INJECT | Injects a file stored in RamFS into a designated process
KILL | Terminates a running process
Is RamFS Custom?
• File names and file content are in Unicode
• Maximum file name length is 260 characters
• Unencrypted chunks are 540 bytes long
• No metadata on files (?)
The link© ?
API obfuscation
All Cartoons use the same approach:
1. Load the library in memory
2. Generate a hash for each exported function name
3. Check whether the generated hash equals the hash of the function the malware wants to call
4. If yes, call the function
We identified 2 hash algorithms.
API obfuscation
Algorithm used by Bunny & Casper (the slide's script, made runnable: the rol32 helper it relied on is defined here)

#!/usr/bin/python
def rol32(value, count):
    # rotate a 32-bit value left by count bits
    return ((value << count) | (value >> (32 - count))) & 0xffffffff

CRC = 0
function = "CreateProcessW"
for i in list(function):
    key = rol32(CRC, 7)      # rotate the running hash left by 7
    CRC = ord(i) ^ key       # then XOR in the next character
print(function + ": 0x%08x" % CRC)

Output:
CreateProcessW: 0x46318ad1
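The slide's script hashes one name; what an analyst actually needs is the reverse direction, turning the 32-bit constants found in a sample back into API names. The block below is an added example, not code from the talk or from the samples: it reimplements the same ROL32-by-7-then-XOR hash, builds a hash-to-name table from a candidate export list, and reports unresolved constants. The candidate list and the 0xdeadbeef placeholder are constructed for the example; a real run would feed every export of the DLLs the sample loads.

```python
# Added example (not code from the talk): reverse lookup for the Bunny/Casper
# API hash. Given the 32-bit hashes a sample carries, rebuild the names by
# hashing candidate export names the same way (ROL32 by 7, then XOR each byte).
from typing import Dict, Iterable, Optional


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Bunny/Casper export-name hash: h = byte ^ rol32(h, 7), starting from 0."""
    h = 0
    for byte in name.encode("ascii"):
        h = byte ^ rol32(h, 7)
    return h


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name for every candidate. A collision between two
    different names raises, so it is noticed instead of silently resolving
    to the wrong API."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name for a hash, or None if no candidate matches."""
    return table.get(h & 0xFFFFFFFF)


# Candidate exports (constructed for the example): a handful of kernel32 /
# advapi32 names an injector or backdoor commonly resolves.
CANDIDATES = [
    "CreateProcessW", "CreateProcessA", "CreateRemoteThread", "WriteProcessMemory",
    "VirtualAllocEx", "LoadLibraryA", "GetProcAddress", "CreateFileMappingW",
    "MapViewOfFile", "CreateNamedPipeW", "OpenProcess", "RegSetValueExW",
]


def resolve_all(hashes: Iterable[int],
                names: Iterable[str] = CANDIDATES) -> Dict[int, Optional[str]]:
    """Resolve hashes pulled from a sample against the candidate set."""
    table = build_table(names)
    return {h: resolve(h, table) for h in hashes}


if __name__ == "__main__":
    # 0x46318ad1 is the CreateProcessW value shown on the slide; 0xdeadbeef is
    # a made-up constant to show how an unresolved entry is reported.
    for h, name in resolve_all([0x46318AD1, 0xDEADBEEF]).items():
        print(f"0x{h:08x} -> {name if name else 'UNRESOLVED'}")
```

In practice the candidate list comes from the export tables of the DLLs the sample loads (for example parsed with `pefile`); hashing a few thousand export names is instant, and anything that stays unresolved is either a DLL you have not fed in or a hash computed with the second algorithm the talk mentions.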
AV identification: WMI query
Windows Security Center WMI providers:
• ROOT\SecurityCenter (operating systems before Windows Vista)
• ROOT\SecurityCenter2 (Windows Vista and newer)

SELECT * FROM AntiVirusProduct

class AntiVirusProduct
{
    string  companyName;            // Vendor name
    string  displayName;            // Application name
    string  instanceGuid;           // Unique identifier
    boolean onAccessScanningEnabled; // Real-time protection
    boolean productUptoDate;        // Definition state
    string  versionNumber;          // Application version
}
AV identification: hash list (matched vendor in parentheses)
ab6ed3db3c243254294cfe431a8aeada28e5741dfa3b9c8aeb54291fddc4f8c3 (AhnLab)
b3fe0e3a3e3befa152c4237b0f3a96ffaa44a2d7e1aa6d379d3a1ab4659e1676 (AntiVir)
c0ffcaf63c2ca2974f44138b0956fed657073fde0adeb0b1c940b5c45e8a5cab (avast!)
249a90b07ed10bd0cd2bcc9819827267428261fb08e181f43e90807c63c65e80 (AVG)
4b650e5c4785025dee7bd65e3c5c527356717d7a1c0bfef5b4ada8ca1e9cbe17 (CA)
c8e8248940830e9f1dc600c189640e91c40f95caae4f3187fb04427980cdc479 (DoctorWeb)
97010f4c9ec0c01b8048dbad5f0c382a9269e22080ccd6f3f1d07e4909fac1a5 (F-PROT)
aa0ad154f949a518cc2be8a588d5e3523488c20c23b8eb8fafb7d8c34fa87145 (F-Secure)
333e0a1e27815d0ceee55c473fe3dc93d56c63e3bee2b3b4aee8eed6d70191a3 (G)
d4634c9d57c06983e1d2d6dc92e74e6103c132a97f8dc3e7158fa89420647ec3 (InternetSecurity)
977781971f7998ff4dbe47f3e1d679f1941b3237d0ba0fdca90178a15aec1f52 (Jiangmin)
f1761a5e3856dceb3e14d4555af92d3d1ac47604841f69fc72328b53ab45ca56 (Kaspersky)
a48be88bed64eff941be52590c07045b896bc3e87e7cf62985651bbc8484f945 (McAfee)
2bc42b202817bdab7d49506d291e3d9624ae0069087a8949c8fcb583c73772b1 (Norton)
0d21bd52022ca7f7e97109d28d327da1e68cc0bedd9713b2dc2b49d3aa104392 (Online)
f7d9ea7f3980635237d6ea58048057c33a218f2670e0ff45af5f4f670e9aa6f4 (Panda)
522e5549af01c747329d923110c058b7bb7e112816de64bd7919d7b9194fba5b (Rising)
4db3801a45802041baa44334303e0498c2640cd5dfd6892545487bf7c8c9219f (ThreatFire)
9e217716c4e03eee7a7e44590344d37252b0ae75966a7f8c34531cd7bed1aca7 (Trend)
e1625a7f2f6947ea8e9328e66562a8b255bc4d5721d427f943002bb2b9fc5645 (VirusBuster)
588730213eb6ace35caadcb651217bfbde3f615d94a9cca41a31ee9fa09b186c (ZoneAlarm)
b39be67ae54b99c5b05fa82a9313606c75bfc8b5c64f29c6037a32bf900926dd ()
a7f9b61169b52926bb364e557a52c07b34c9fbdcd692f249cd27de5f4169e700 ()
1ba035db418ad6acc8e0c173a49d124f3fcc89d0637496954a70e28ec6983ad7 ()
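The 64-hex-digit values above are SHA-256 digests labelled with the vendor the researchers matched them to, which is the shape of a check that compares a hash of the product name against a list rather than carrying the vendor names in cleartext. The block below is an added example, not code from the talk or the samples: it emulates that check over constructed AntiVirusProduct rows shaped like the WMI class on the slide, and gives the defender-side helper, testing candidate product-name strings against digests pulled from a sample. Because the deck does not say exactly which string was hashed (displayName or companyName, exact casing), the "known" list here is built from constructed example names rather than the slide's digests.

```python
# Added example (not code from the talk): "hash the AV name" identification.
# The blocklist a sample carries holds only digests; the check hashes each
# installed product's name and looks the digest up.
import hashlib
from typing import Dict, Iterable, List


def sha256_hex(text: str) -> str:
    """SHA-256 of the UTF-8 string, lowercase hex (64 chars, like the slide)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Stand-in for the digest list in a sample: built here from constructed
# product names so the demo is self-contained. A real sample ships only the
# digests, which is why the vendors on the slide had to be recovered.
KNOWN_AV_DIGESTS: Dict[str, str] = {
    sha256_hex(name): label
    for name, label in [
        ("Example Antivirus", "ExampleAV"),
        ("Demo Security Suite", "DemoSec"),
    ]
}


def identify_av(products: Iterable[Dict[str, object]],
                digests: Dict[str, str] = KNOWN_AV_DIGESTS) -> List[Dict[str, object]]:
    """Emulate the sample's check: hash each row's displayName and report hits.
    Rows are shaped like AntiVirusProduct (companyName, displayName,
    instanceGuid, onAccessScanningEnabled, productUptoDate, versionNumber)."""
    hits: List[Dict[str, object]] = []
    for row in products:
        name = str(row.get("displayName", ""))
        digest = sha256_hex(name)
        if digest in digests:
            hits.append({
                "displayName": name,
                "label": digests[digest],
                "realtime": bool(row.get("onAccessScanningEnabled", False)),
            })
    return hits


def check_candidates(digests: Iterable[str],
                     candidates: Iterable[str]) -> Dict[str, str]:
    """Defender-side use: given digests pulled from a sample (e.g. the list on
    the slide) and product-name strings to try, return {digest: matching name}.
    Feed the exact displayName/companyName strings of your own products."""
    wanted = {d.lower() for d in digests}
    return {sha256_hex(c): c for c in candidates if sha256_hex(c) in wanted}


# Constructed rows, as `SELECT * FROM AntiVirusProduct` in ROOT\SecurityCenter2
# might return them on a host with two products installed.
SAMPLE_ROWS = [
    {"companyName": "Example Corp", "displayName": "Example Antivirus",
     "instanceGuid": "{00000000-0000-0000-0000-000000000001}",
     "onAccessScanningEnabled": True, "productUptoDate": True,
     "versionNumber": "1.0"},
    {"companyName": "Other Ltd", "displayName": "Unlisted Guard",
     "instanceGuid": "{00000000-0000-0000-0000-000000000002}",
     "onAccessScanningEnabled": False, "productUptoDate": False,
     "versionNumber": "9.9"},
]

if __name__ == "__main__":
    for hit in identify_av(SAMPLE_ROWS):
        print(hit)
```

On a Windows host the rows come from the query on the previous slide (for example `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` in PowerShell); to find out whether a sample targets a given product, pass its 24 digests and the product's exact name strings to `check_candidates`, trying displayName and companyName separately, since a single character of difference changes the digest.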
Emulator detection
Samples look for specific sandbox process names (screenshots: Bitdefender, Kaspersky)
Also Kaspersky: lstcvix.exe, tudib.exe, izmdmv.exe, ubgncn.exe, jidgdsp.exe, evabgzib.exe, qzqjafyt.exe, cnyporqb.exe, ...
Sample ID
All samples contain a similar-looking ID:
• CSEC Slide: 08184
• Dino: 11173-01-PRS
• Bunny: 11206-01
• Babar: 11220-01 or 12075-01
• Casper: 13001
<speculation=on>
Internal naming convention
Of course the internal naming convention is a link too
</speculation>
Really bad English usage
C&C sharing
Directory listing on horizons-tourisme.com:./_vti_bin
./_vti_bin/index.html
./_vti_bin/_vti_msc
./_vti_bin/_vti_msc/d13
./_vti_bin/_vti_msc/d13/index_refresh.htm
./_vti_bin/_vti_msc/d13/index.html
./_vti_bin/_vti_msc/bb28
./_vti_bin/_vti_msc/bb28/_index.php
./_vti_bin/_vti_msc/bb28/storage
./_vti_bin/_vti_msc/bb28/storage/index.html
./_vti_bin/_vti_msc/bb28/index.html
./_vti_bin/_vti_msc/bb28/bbc.php
./_vti_bin/_vti_msc/bb28/config.inc
./_vti_bin/_vti_msc/tfc422
./_vti_bin/_vti_msc/tfc422/index.html
./_vti_bin/_vti_msc/index.html
Give me a “D” for Dino (d13)
Give me two “B”s for BaBar (bb28)
Give me a “TFC” for TaFaCalou (tfc422)
Attribution?
Analysis based on C&C
• Compromised websites (gov/university/company/...), often WordPress websites
• Fake websites
(Bar chart, C&C servers by country, y-axis 0 to 9: Syria, Iran, USA, Burkina Faso, Hong Kong, Saudi Arabia, Egypt, Turkey, Niger, Morocco, Ukraine, N/A)
Analysis based on C&C
A few French hints
And FINALLY…
Bernard Barbier, former Technical Director of the French Secret Service
But attribution is hard.
Thank you!
Joan Calvet@joancalvet
Marion Marschalek@pinkflawd
Paul Rascagnères@r00tsbsd
Further Reading
• Babar Reversed (Cyphort): http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
• Bunny Reversed: https://drive.google.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view?usp=sharing
• Casper Reversed, by Joan Calvet (WeLiveSecurity): http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
• Linking the Cartoon malware to the CSEC slides, by Paul Rascagnères (G DATA): https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
• Slides “TS/NOFORN” at Hack.lu 2014: http://2014.hack.lu/archive/2014/TSNOFORN.pdf
• Slides on Snowglobe from CSEC: http://www.spiegel.de/media/media-35683.pdf and http://www.spiegel.de/media/media-35688.pdf
• A cyberwarfare tale on nuclear matters, by Matt Suiche: http://www.msuiche.net/2015/03/09/did-alleged-dgse-used-stackoverflow-like-to-write-their-malwares/
• Dino spying malware analyzed (WeLiveSecurity): http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
• Animal Farm (Kaspersky Securelist): https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
• Branco, “Distributing the Reconstruction of High-Level Intermediate Representation for Large Scale Malware Analysis”, Black Hat USA 2015: https://www.blackhat.com/docs/us-15/materials/us-15-Branco-Distributing-The-Reconstruction-Of-High-Level-Intermediate-Representation-For-Large-Scale-Malware-Analysis.pdf
Hashes
Bunny:
• 3bbb59afdf9bda4ffdc644d9d51c53e7
• b8ac16701c3c15b103e61b5a317692bc
• c40e3ee23cf95d992b7cd0b7c01b8599
• eb2f16a59b07d3a196654c6041d0066e
Babar:
• 4525141d9e6e7b5a7f4e8c3db3f0c24c
• 9fff114f15b86896d8d4978c0ad2813d
• 8b3961f7f743daacfd67380a9085da4f
• 4582d9d2120fb9c80ef01e2135fa3515
NBOT:
• 8132ee00f64856cf10930fd72505cebe
• 2a64d331964dbdec8141f16585f392ba
• e8a333a726481a72b267ec6109939b0d
• 51cd931e9352b3b8f293bf3b9a9449d2
Casper:
• 4d7ca8d467770f657305c16474b845fe
• cc87d090a1607b4dde18730b79b78632
Dino:
• 30bd27b122c117fabf5fbfb0a6cdd7ee
Other:
• bbf4b1961ff0ce19db748616754da76e
• 330dc1a7f3930a2234e505ba11da0eea